Listing of Claims:

1. (currently amended) A method comprising the steps of:

generating a random number, an expected response, and a derived cipher key associated with 
securing air interface communications with a mobile station; 

forwarding the random number and a random seed to a base station that is located in a first pool 
of only infrastructure devices that are other than a mobile station, wherein the first pool is
associated with an intrakey used only for encrypting key material that is distributed within the 
first pool; 

receiving, from the base station, a response to the random number and the random seed; 
comparing the response and the expected response; and 

when the response matches the expected response, encrypting the derived cipher key using the 
intrakey and forwarding the encrypted derived cipher key to the base station. 

2. (previously presented) The method of claim 1, further comprising the step of, when the
response does not match the expected response, discarding the derived cipher key without
encrypting the derived cipher key and forwarding the encrypted derived cipher key to the base
station.

3. (original) The method of claim 2, further comprising the step of sending a failed 
authentication message to the base station. 

4. (original) The method of claim 1, wherein the expected response is generated at least
indirectly from the random number and the random seed.

5. (original) The method of claim 1, wherein the derived cipher key is generated at least
indirectly from the random number and the random seed.

6. (original) The method of claim 1, wherein the derived cipher key is stored at a visited
location register.

7. (previously presented) The method of claim 6, wherein the derived cipher key is
encrypted using the intrakey before being stored at the visited location register.

8. (original) The method of claim 1, wherein the derived cipher key is stored at a home
location register.

9. (previously presented) The method of claim 8, wherein the derived cipher key is
encrypted using the intrakey before being stored at the home location register.

10. (original) The method of claim 1, wherein the steps are performed by a zone controller.

11. (original) The method of claim 1, wherein the steps are performed by a visited location
register.

12. (original) The method of claim 1, wherein the response is generated by a mobile station.

13. (previously presented) The method of claim 1, wherein the first pool comprises a first
zone.

14. (original) The method of claim 1, wherein any of a base site and a TETRA site controller
takes the place of the base station.

15. (previously presented) The method of claim 1, further comprising the steps of:

receiving, from the base station, a second random number generated by the mobile station; 

generating a second derived cipher key and a second response to the second random number and
forwarding the second response to the base station, the second derived cipher key also associated
with securing the air interface communications with the mobile station;

combining the derived cipher key and the second derived cipher key, yielding a third derived 
cipher key used for encrypting the air interface communications with the mobile station; 

when a positive authentication message is received from the base station, encrypting the third
derived cipher key using the intrakey and forwarding the encrypted third derived cipher key to
the base station.

16. (currently amended) A method performed by any of a base station that is located in a
first pool of only infrastructure devices that are other than a mobile station and comprising the 
steps of: 

receiving an authentication request from a mobile station; 
determining whether to forward the request to an authentication agent; 

when it is determined to forward the request, forwarding the request to the authentication agent; 

receiving a random number and a random seed from the authentication agent; 

forwarding the random number and the random seed to the mobile station; 

receiving a response to the random number and the random seed from the mobile station and 
forwarding the response to the authentication agent; 

when the authentication agent authenticates the mobile station, receiving from the authentication 
agent a derived cipher key that is encrypted using an intrakey associated with the first pool and
used only for encrypting key material that is distributed within the first pool; and

encrypting messages to the mobile station and decrypting messages from the mobile station with
the derived cipher key. 

17. (original) The method of claim 16, further comprising the step of, when the 
authentication agent sends a negative authentication to the base station, forwarding the negative 
authentication to the mobile station. 

18. (original) The method of claim 16, wherein the authentication agent is a zone controller.

19. (original) The method of claim 16, wherein the authentication agent is a visited location
register. 

20. (previously presented) The method of claim 16, wherein the first pool comprises a first 
zone. 

21. (original) The method of claim 16, wherein any of a base site and a TETRA site
controller takes the place of the base station.

22. (previously presented) The method of claim 16, further comprising the steps of:
receiving a second random number from the mobile station;

forwarding the second random number to the authentication agent;

receiving a second response to the second random number from the authentication agent;

forwarding the second response to the mobile station;

when the mobile station authenticates the infrastructure, forwarding an authenticated message to
the authentication agent; 

receiving a second derived cipher key from the authentication agent, wherein the second derived 
cipher key is encrypted using the intrakey; and 

encrypting messages to the mobile station and decrypting messages from the mobile station with 
the second derived cipher key.

23. (currently amended) A method comprising the steps of:

receiving, from a base station, a random number generated by a mobile station, wherein the base
station is located in a first pool of only infrastructure devices that are other than a mobile station,
and the first pool is associated with an intrakey used only for encrypting key material that is
distributed with the first pool;

using a random seed, generating a derived cipher key associated with securing air interface 
communications with the mobile station and a response to the random number and forwarding
the random seed and the response to the base station;

when a positive authentication message is received from the base station, encrypting the derived
cipher key using the intrakey and forwarding the encrypted derived cipher key to the base
station.

24. (previously presented) The method of claim 23, further comprising the step of, when a
negative authentication message is received from the base station, discarding the derived cipher
key without encrypting the derived cipher key and forwarding the encrypted derived cipher key
to the base station.

25. (original) The method of claim 23, wherein the response is generated at least indirectly
from the random number and the random seed.

26. (original) The method of claim 23, wherein the derived cipher key is generated at least
indirectly from the random number and the random seed. 

27. (original) The method of claim 23, wherein the derived cipher key is stored at a visited 
location register.

28. (previously presented) The method of claim 27, wherein the derived cipher key is
encrypted using the intrakey before being stored at the visited location register.

29. (original) The method of claim 23, wherein the derived cipher key is stored at a home
location register.

30. (previously presented) The method of claim 29, wherein the derived cipher key is
encrypted using the intrakey before being stored at the home location register.

31. (original) The method of claim 23, wherein the steps are performed by a zone controller.

32. (original) The method of claim 23, wherein the steps are performed by a visited location
register.

33. (previously presented) The method of claim 23, wherein the first pool comprises a first
zone.

34. (original) The method of claim 23, wherein any of a base site and a TETRA site
controller takes the place of the base station.

35. (original) The method of claim 23, wherein the method is of a mutual authentication 
process.

36. (currently amended) A method performed by a base station that is located in a first pool
of only infrastructure devices that are other than a mobile station and comprising the steps of:

receiving a random number from a mobile station;

forwarding the random number to an authentication agent;

receiving a response to the random number and a random seed from the authentication agent;
forwarding the response and the random seed to the mobile station;

when the mobile station authenticates the infrastructure, forwarding an authenticated message to
the authentication agent;

receiving from the authentication agent a derived cipher key that is encrypted using an intrakey
associated with the first pool and used only for encrypting key material that is distributed within
the first pool;

encrypting messages to the mobile station and decrypting messages from the mobile station with
the derived cipher key.

37. (original) The method of claim 36, further comprising the step of, when the mobile
station sends a negative authentication to the base station, forwarding the negative authentication
to the authentication agent, which discards the derived cipher key.

38. (original) The method of claim 36, wherein the authentication agent is a zone controller.

39. (original) The method of claim 36, wherein the authentication agent is a visited location 
register.

40. (previously presented) The method of claim 36, wherein the first pool comprises a first
zone.

41. (original) The method of claim 36, wherein any of a base site and a TETRA site 
controller takes the place of the base station. 

42. (withdrawn) A system comprising: 

a first system device in a first zone of the system, the first system device comprised of memory
for storing: 

first zone session authentication information, 

an intrakey associated with the first zone for encrypting at least one of a part of the first 
zone session authentication information and additional key material for transport in real-time 
to another system device in the first zone, and 

an interkey for encrypting at least a segment of the first zone session authentication
information for transport to a system device in a zone other than the first zone;

a second system device comprised of memory for storing the first zone session authentication
information at least partially in an encrypted form.

43. (withdrawn) The system of claim 42, wherein the first system device is a zone controller. 

44. (withdrawn) The system of claim 42, wherein the first system device is a visited location 
register. 

45. (withdrawn) The system of claim 42, wherein the first system device is a home location 
register.

46. (withdrawn) The system of claim 42, wherein the second system device is a zone
manager.

47. (withdrawn) The system of claim 42, wherein the another system device in the first zone
is any of a base station, a base site, and a TETRA site controller. 

48. (withdrawn) The system of claim 42, wherein the first zone session authentication 
information is stored at least partially encrypted in the first system device. 

49. (cancelled) 

50. (cancelled) 

51. (cancelled)

52. (withdrawn) The system of claim 42, further comprising:

a third system device in a second zone of the system, the third system device comprised of
memory for storing:

second zone session authentication information,

an intrakey associated with the second zone for encrypting at least one of a part of the
second zone session authentication information and additional key material for transport in
real-time to another system device in the second zone, and

the interkey for encrypting at least a segment of the second zone session authentication
information for transport to a system device in a zone other than the second zone.

53. (withdrawn) The system of claim 52, wherein the third system device is a zone
controller.

54. (withdrawn) The system of claim 52, wherein the third system device is a visited
location register.

55. (withdrawn) The system of claim 52, wherein the third system device is a home location
register.

56. (withdrawn) The system of claim 52, wherein the another system device in the second
zone is any of a base station, a base site, and a TETRA site controller.

57. (withdrawn) The system of claim 52, wherein the second zone session authentication
information is stored at least partially encrypted in the third system device.

58. (cancelled) 

59. (withdrawn) The system of claim 52, further comprising a fourth system device 
comprised of memory for storing the second zone session authentication information at least 
partially in encrypted form. 

60. (withdrawn) The system of claim 59, wherein the fourth system device is a zone 
manager. 

61. (withdrawn) The system of claim 59, further comprising a fifth system device comprised 
of memory for storing system session authentication information comprising at least the first 
zone session authentication information and the second zone session authentication information
at least partially in encrypted form.

62. (withdrawn) The system of claim 61, wherein the fifth system device is a user
configuration server.

63. (withdrawn) The system of claim 61, further comprising:
a sixth system device comprised of:

memory for storing authentication key information;

a processor, operably coupled to the memory, the processor arranged and constructed to
generate the system session authentication information from the authentication key
information, and encrypt the system session authentication information for transport to at
least the fifth system device in non-real-time.

64. (withdrawn) The system of claim 63, wherein the sixth system device is an 
authentication center. 

65. (withdrawn) The system of claim 63, wherein the sixth system device is a key 
management facility.

66. (withdrawn) The system of claim 63, wherein the authentication key information is
hardware encrypted before storage in the sixth device.

67. (withdrawn) The system of claim 63, wherein the session authentication information
comprises at least two keys utilized in an encryption authentication process.

68. (withdrawn) A method comprising the steps of:

generating session authentication information for each of a plurality of authentication keys for 
use in a communication system; 

encrypting the session authentication information using an interkey that is shared by a set of at 
least two zones of devices for encrypting key material that is distributed to at least one zone in 
the set of zones; 

forwarding the encrypted session authentication information to a storage device for access in a 
non-real-time manner. 

69. (withdrawn) The method of claim 68, further comprising the step of storing the plurality 
of keys as encrypted data. 

70. (withdrawn) The method of claim 69, wherein at least one of the plurality of keys is
encrypted by a hardware-based encryption device.

71. (withdrawn) The method of claim 68, wherein the session authentication information is
encrypted by a software-based encryption device.

72. (cancelled)

73. (withdrawn) The method of claim 68, wherein the storage device is a user configuration
server.

74. (withdrawn) The method of claim 68, further comprising the step of forwarding, by the
storage device, at least a part of the encrypted session authentication information to a first system
device at a zone in the set of zones in a non-real-time manner.

75. (withdrawn) The method of claim 74, wherein the part of the encrypted session
authentication information includes session authentication information for at least one mobile
station registered at the zone.

76. (withdrawn) The method of claim 74, further comprising the step of forwarding, by the
first system device, at least some of the at least a part of the encrypted session authentication 
information to a home location register at the zone in a non-real-time manner. 

77. (withdrawn) The method of claim 76, further comprising the step of decrypting, by the 
second system device, the at least some of the at least a part of the encrypted session 
authentication information, yielding decrypted session authentication information. 

78. (withdrawn) The method of claim 77, further comprising the step of encrypting, by the 
second system device, at least a part of the decrypted session authentication information, 
yielding re-encrypted session authentication information.

79. (withdrawn) The method of claim 78, wherein the step of encrypting at least the part of
the decrypted session authentication information comprises the step of encrypting the at least the
part of the decrypted session authentication information using an intrakey associated with the
zone and used for encrypting key material that is distributed within the zone.

80. (withdrawn) The method of claim 78, wherein the step of encrypting at least the part of
the decrypted session authentication information comprises the step of encrypting the at least the
part of the decrypted session authentication information using the interkey.

81. (withdrawn) The method of claim 78, further comprising the step of forwarding, by the
second system device, the re-encrypted session authentication information to a third system
device in a real-time manner.

82. (withdrawn) The method of claim 78, wherein the session authentication information
comprises at least two keys utilized in an encryption authentication process.

83. (withdrawn) A system comprising:

a key management facility, arranged and constructed to store an authentication key for each
mobile station residing in the system;

a user configuration server, operably coupled to the key management facility, arranged and
constructed to store and distribute session authentication information for each mobile station
residing in the system;

a zone manager, operably coupled to the user configuration server, arranged and constructed to
store relevant session authentication information for a zone managed by the zone manager and to 
distribute the relevant session authentication information to a home location register within a 
zone controller for the zone; 

wherein the key management facility, user configuration server, and the zone manager are 
arranged and constructed to provide the session authentication information to each other or to a 
zone in the event of a fault in the system; 

wherein the home location register is arranged and constructed to continue to provide 
authentication and support secure communications in the event of a fault at any of the key
management facility, user configuration server, and the zone manager.

84. (withdrawn) The system of claim 83, further comprising a visited location register,
arranged and constructed to continue to provide authentication and support secure
communications in the event of a fault at any of the key management facility, user configuration
server, and the zone manager, and wherein at least part of the relevant session authentication
information is distributed to the visited location register.

85. (withdrawn) The system of claim 83, wherein the zone controller generates a derived
cipher key from the session authentication information during an authentication process.

86. (withdrawn) The system of claim 83, wherein the session authentication information
comprises at least two keys utilized in an encryption authentication process.

87. (withdrawn) A system comprising:

a plurality of first-level system devices, arranged and constructed to encrypt, store, and forward
at least some session authentication information in a non-real-time manner, wherein at least one
of the plurality of first-level system devices is arranged and constructed to encrypt the session
authentication information using an interkey that is shared by a set of at least two zones of
devices for encrypting key material that is distributed to at least one zone in the set of zones;

a plurality of second-level system devices, arranged and constructed into the set of zones to 
receive at least a part of the encrypted session authentication information from at least one of the 
plurality of first-level system devices in a real-time manner. 

88. (withdrawn) The system of claim 87, wherein at least one of the plurality of first-level
system devices generates the session authentication information.

89. (withdrawn) The system of claim 87, wherein the plurality of second-level system
devices authenticates one or more mobile stations in a real-time manner based on the session
authentication information. 

90. (withdrawn) The system of claim 87, wherein the plurality of first-level system devices 
comprises a key management facility, a user configuration server, and at least one zone manager. 

91. (withdrawn) The system of claim 87, wherein the plurality of second-level system
devices comprises at least one zone controller and at least one base station.

92. (cancelled)

93. (withdrawn) The system of claim 87, wherein the plurality of second-level system
devices is arranged and constructed to encrypt at least a segment of the session authentication
information using the interkey when the encrypted session authentication information is
forwarded to a system device in a zone other than the zone in which the forwarding device is
located.

94. (withdrawn) The system of claim 87, wherein the plurality of second-level system
devices is arranged and constructed to encrypt at least a segment of the session authentication
information using one of an intrakey associated with a zone in which the forwarding device is
located and used for encrypting key material that is distributed within that zone and the interkey
when the encrypted session authentication information is forwarded to a system device in a zone
in which the forwarding device is located.

95. (withdrawn) A method comprising the steps of:

receiving, from a mobile station, a request to communicate in a communication system;
determining whether the request is encrypted; 

when the request is not encrypted, sending a request to authenticate the mobile station to an 
infrastructure device in the communication system; 

when the request is encrypted, determining whether the mobile station is powering up;

when the mobile station is powering up and the request is encrypted, sending a request to
authenticate the mobile station to the infrastructure device in the communication system;

when the mobile station is not powering up and the request is encrypted, determining whether the
request is encrypted using a valid key;

when the mobile station is not powering up and the request is encrypted using a valid key,
permitting the mobile station access to the system without requesting authentication.

96. (withdrawn) The method of claim 95, further comprising the steps of:

storing authentication requests during a time period when the infrastructure device is not 
available; 

when the infrastructure device becomes available, forwarding the stored authentication requests
to the infrastructure device.

97. (withdrawn) A method comprising the steps of:

receiving, from a mobile station, a request to communicate in a communication system;
determining whether the mobile station is powering up;

when the mobile station is powering up, sending a request to authenticate the mobile station to an
infrastructure device in the communication system;

when the mobile station is not powering up, determining whether the request is encrypted; 

when the request is not encrypted, sending a request to authenticate the mobile station to an
infrastructure device in the communication system;

when the mobile station is not powering up and the request is encrypted, determining whether the
request is encrypted using a valid key;

when the mobile station is not powering up and the request is encrypted using a valid key,
permitting the mobile station access to the system without requesting authentication.

98. (withdrawn) The method of claim 97, further comprising the steps of: 

storing authentication requests during a time period when the infrastructure device is not 
available; 

when the infrastructure device becomes available, forwarding the stored authentication requests
to the infrastructure device. 
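
The key-release rule recited in claims 1, 2, 4, 5 and 16, as an added Go example that is not part of the filed claims: the authentication agent releases the derived cipher key to the base station only after the response matches, and only encrypted under the pool's intrakey. HMAC-SHA256 and AES-GCM are stand-ins chosen for this example (the claims name no algorithms), and every identifier, key value and length below is hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// kdf is a stand-in (HMAC-SHA256); the claims name no derivation algorithm.
func kdf(key []byte, label string, in []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(append([]byte(label), in...))
	return m.Sum(nil)
}

// Derive: response and cipher key from random number and seed (claims 4, 5).
func Derive(k, rnd, seed []byte) (res, dck []byte) {
	ks := kdf(k, "session", seed)
	return kdf(ks, "res", rnd)[:8], kdf(ks, "dck", rnd)[:16]
}

type Challenge struct {
	Rand, Seed []byte // forwarded to the base station
	xres, dck  []byte // expected response and key, kept by the agent
}

func NewChallenge(k []byte) (*Challenge, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	res, dck := Derive(k, buf[:16], buf[16:])
	return &Challenge{buf[:16], buf[16:], res, dck}, nil
}

// Release encrypts the key under the pool's intrakey only on a matching
// response (claim 1); the clear copy is wiped either way (claim 2).
func (c *Challenge) Release(res []byte, ik cipher.AEAD) ([]byte, error) {
	defer func() {
		for i := range c.dck {
			c.dck[i] = 0
		}
		c.dck = nil
	}()
	if c.dck == nil || !hmac.Equal(res, c.xres) {
		return nil, fmt.Errorf("response does not match expected response")
	}
	nonce := make([]byte, ik.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return ik.Seal(nonce, nonce, c.dck, nil), nil
}

// NewIntrakey builds a pool's key-wrapping cipher (AES-GCM, chosen here).
func NewIntrakey(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// Unwrap is the base station side: it needs the same pool's intrakey.
func Unwrap(ik cipher.AEAD, blob []byte) ([]byte, error) {
	if n := ik.NonceSize(); len(blob) >= n {
		return ik.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("wrapped key too short")
}

func main() {
	ik, _ := NewIntrakey(make([]byte, 32)) // constructed all-zero demo key
	c, _ := NewChallenge([]byte("constructed K"))
	fmt.Println(c.Release([]byte("bad"), ik)) // no key, only the error
}
```

A base station holding a different pool's intrakey fails in `Unwrap` with an authentication error, and a `Challenge` cannot release its key twice.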